At a glance.
- Lessons from FTX.
- Latest ESF guidance on supply chain security says SBOMs are key.
- Offensive cyber operations from DoD and DOJ.
Lessons from FTX.
The collapse of the FTX cryptocurrency exchange, the third-largest such exchange in the world, has amplified the debate over how to regulate the unwieldy beast that is the crypto market. The Atlantic Council offers its recommendations for preventing an implosion similar to FTX’s in the future. The first step is to have financial regulators and industry leaders implement “proof of reserves,” requiring large, centralized exchanges and custodians to prove and document their assets and liabilities, preventing them from secretly using customer funds in risky investments. Some players in the sector have already moved to adopt this measure voluntarily, and lawmakers could put their weight behind it to make it more universal.
Second, the crypto market could engage in self-policing, much like the self-regulatory organizations that implement and enforce industry standards in the traditional finance sector. And third, some larger crypto companies (Binance, anyone?) rely on the “everywhere but nowhere” argument to evade established principles about regulators’ jurisdiction. Some experts argue regulators have a responsibility to reinforce the fact that US regulations still apply to products and services that are regularly sold in the US – which would include crypto – in order to prevent fraud or other illicit conduct.
Latest ESF guidance on supply chain security says SBOMs are key.
Yesterday the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released the third and last installment of a series of guidelines on securing the software supply chain. As CISA explains, the series is an output of the Enduring Security Framework (ESF), a public-private, cross-sector working group. The first two installments of the series were geared towards developers and suppliers, while the third offers best practices for software customers to ensure the integrity of software they use across the acquisition, deployment, and operational phases of a software supply chain.
The Federal News Network notes that the guidelines highlight the importance of Software Bills of Materials (SBOMs) in order to properly evaluate the contents of a piece of software during the procurement process. “This verification should include attributes such as geolocation, supplier ownership or control, Data Universal Numbering System (DUNS) verification, and past performances,” the guidance states. The inclusion of SBOMs in the guidance is significant, as the tech industry has pushed back against legislation that would make SBOMs a requirement for federal contractors.
The Office of Management and Budget also recently recommended government agencies require software vendors to verify they’re following the National Institute of Standards and Technology’s security standards, which also recommend SBOMs, and some federal organizations, including the Army, are already pursuing SBOM adoption. Natalie Pittore, chief of the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA, stated, “ESF plans on releasing additional software security products. Our next releases will provide helpful information on SBOM consumption and extended developer guidance.”
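The guidance above frames SBOMs as something the software customer consumes during acquisition and operation, not just something the supplier produces. The following is an added example (not part of the ESF guidance or any project mentioned here) of what a minimal acquirer-side SBOM check looks like: it parses a CycloneDX-style JSON document, flags components that lack a named supplier or a SHA-256 hash, checks suppliers against a vetted list, and verifies a delivered artifact against the hash the SBOM declares. The sample SBOM, the approved-supplier set, and the artifact bytes are all constructed placeholders; the CycloneDX field names (`bomFormat`, `components`, `supplier.name`, `hashes[].alg/content`) are real, but the check logic is this example’s own, not CISA’s or NSA’s.

```python
import hashlib
import json

# Constructed CycloneDX-style SBOM for illustration only; not a real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {   # complete entry: named supplier and a SHA-256 hash of the delivered artifact
            "type": "library", "name": "libalpha", "version": "2.1.0",
            "supplier": {"name": "Alpha Software LLC"},
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(b"libalpha-2.1.0").hexdigest()}],
        },
        {   # has a hash but no supplier: ownership/control cannot be vetted
            "type": "library", "name": "libbeta", "version": "0.9.3",
            "hashes": [{"alg": "SHA-256", "content": "deadbeef"}],
        },
        {   # has a supplier but no hash: delivered bits cannot be tied to the SBOM entry
            "type": "library", "name": "libgamma", "version": "1.0.0",
            "supplier": {"name": "Gamma Corp"},
        },
    ],
})

# Hypothetical list of suppliers the acquirer has already vetted (placeholder names).
APPROVED_SUPPLIERS = {"Alpha Software LLC", "Gamma Corp"}


def load_components(sbom_json):
    """Parse a CycloneDX JSON document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return doc.get("components", [])


def check_component(comp, approved_suppliers):
    """Return a list of findings for one component; an empty list means it passed."""
    findings = []
    supplier = (comp.get("supplier") or {}).get("name")
    if not supplier:
        findings.append("missing supplier")
    elif supplier not in approved_suppliers:
        findings.append("supplier not vetted: %s" % supplier)
    hashes = {h.get("alg"): h.get("content") for h in comp.get("hashes", [])}
    if "SHA-256" not in hashes:
        findings.append("no SHA-256 hash to verify against delivered artifact")
    return findings


def review_sbom(sbom_json, approved_suppliers=APPROVED_SUPPLIERS):
    """Map each 'name@version' to its findings so a reviewer can triage the SBOM."""
    report = {}
    for comp in load_components(sbom_json):
        key = "%s@%s" % (comp.get("name"), comp.get("version"))
        report[key] = check_component(comp, approved_suppliers)
    return report


def verify_artifact(comp, artifact_bytes):
    """True only if the delivered bytes match the SHA-256 the SBOM entry declares."""
    declared = {h.get("alg"): h.get("content") for h in comp.get("hashes", [])}
    expected = declared.get("SHA-256")
    if not expected:
        return False  # nothing to compare against; treat as unverified
    return hashlib.sha256(artifact_bytes).hexdigest() == expected


if __name__ == "__main__":
    for component, findings in review_sbom(SAMPLE_SBOM).items():
        print(component, "OK" if not findings else "; ".join(findings))
    first = load_components(SAMPLE_SBOM)[0]
    # Constructed artifact bytes standing in for the delivered package.
    print("libalpha artifact verified:", verify_artifact(first, b"libalpha-2.1.0"))
```

In practice the approved-supplier set would come from the acquirer's own vendor-risk records (the DUNS and ownership checks the guidance mentions), and the hash comparison would run against the files actually delivered or deployed, so that the SBOM is used at every phase rather than filed away after procurement.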
Offensive cyber operations from DoD and DOJ.
The US Departments of Defense (DoD) and State have been engaged in a tug-of-war over which branch has the authority to conduct cyber operations, and sources say the DoD has won. According to CyberScoop, sources familiar with the matter say the DoD will be retaining the majority of the authorities it was granted by the Trump administration in 2018. An anonymous senior administration official says the State Department won some concessions as part of the revised policy document, and that the final version of the policy memorandum will require the DoD to share cyber operation details with the White House well in advance. The new policy also stipulates a dispute resolution process in which agencies will have the opportunity to flag operations they find concerning. According to the source, President Biden will be reviewing these authorities in a revised version of the Trump-era National Security Policy Memorandum-13, which was intended to streamline the approval process for cyber operations. The State Department has long felt that NSPM-13 grants the DoD too much authority by prioritizing military cyberspace interests over those of civilian agencies. The source explained, “The debate was: ‘How much authority does State have to lay across the railroad tracks?’ That’s been the debate in the past few months, and it’s moved in DoD’s direction.” The Pentagon, State Department and U.S. Cyber Command did not respond to requests for comment.
Meanwhile, while testifying at a Senate Homeland Security Committee hearing yesterday, Federal Bureau of Investigation Director Christopher Wray said his agency has been carrying out offensive cyber operations against state and non-state cyber actors. “Offense is a critical part of our overall effort to push back against cyber adversaries,” Wray stated. As FOX 4 Kansas City WDAF-TV reports, Wray was responding to a question from Utah Senator Mitt Romney regarding the FBI’s offensive measures in cyberspace. Wray didn’t go into detail about the bureau’s offensive cyber operations, but he did state that the department engages in counterintelligence operations to shut down adversaries’ infrastructure, obstruct malicious cryptocurrency schemes, and indict cybercriminals.